https://community.splunk.com/t5/Splunk-Cloud-Platform/query-help/m-p/754132#M4019 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/258639">@Praz_123</a>&nbsp;</P><P>Try using the bin command before your first stats, something like this should work:</P><LI-CODE lang="markup">index="_internal" source="*license_usage.log" type=Usage earliest=-3d@d latest=@d | bin span=1d _time | stats sum(b) as usage by _time, h | eval usage_in_GB = usage / 1024 / 1024 / 1024 | where usage_in_GB &gt; 2 | stats sum(usage_in_GB) as total_usage_GB by h | sort - total_usage_GB | head 10</LI-CODE><P><span class="lia-unicode-emoji" title=":glowing_star:">🌟</span><SPAN>&nbsp;</SPAN><STRONG>Did this answer help you?</STRONG><SPAN>&nbsp;</SPAN>If so, please consider:</P><UL><LI>Adding karma to show it was useful</LI><LI>Marking it as the solution if it resolved your issue</LI><LI>Commenting if you need any clarification</LI></UL><P>Your feedback encourages the volunteers in this community to continue contributing</P><P>&nbsp;</P> Thu, 09 Oct 2025 14:55:16 GMT livehybrid 2025-10-09T14:55:16Z https://community.splunk.com/t5/Splunk-Cloud-Platform/query-help/m-p/754127#M4018 <P>query is -<BR /><BR />index="_internal" source="*license_usage.log" type=Usage h="abc" earliest=-3d@d latest=@d | stats sum(b) as usage by _time | eval usage_in_GB = usage / 1024 / 1024 / 1024 | timechart span=1d sum(usage_in_GB) as usage_GB<BR /><BR />with the query I can see for specific host but I need a query to see top 10 host which are using daily more than 2gb usage<BR /><BR /><BR />while using the below am not getting the results :-<BR /><BR />index="_internal" source="*license_usage.log" type=Usage earliest=-3d@d latest=@d<BR />| stats sum(b) as usage by _time, h<BR />| eval usage_in_GB = usage / 1024 / 1024 / 1024<BR />| where usage_in_GB &gt; 2<BR />| stats sum(usage_in_GB) as total_usage_GB by h<BR />| sort - total_usage_GB<BR />| head 10<BR /><BR /></P> Thu, 09 Oct 2025 14:24:46 GMT https://community.splunk.com/t5/Splunk-Cloud-Platform/query-help/m-p/754127#M4018 Praz_123 2025-10-09T14:24:46Z https://community.splunk.com/t5/Splunk-Cloud-Platform/query-help/m-p/754132#M4019 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/258639">@Praz_123</a>&nbsp;</P><P>Try using the bin command before your first stats, something like this should work:</P><LI-CODE lang="markup">index="_internal" source="*license_usage.log" type=Usage earliest=-3d@d latest=@d | bin span=1d _time | stats sum(b) as usage by _time, h | eval usage_in_GB = usage / 1024 / 1024 / 1024 | where usage_in_GB &gt; 2 | stats sum(usage_in_GB) as total_usage_GB by h | sort - total_usage_GB | head 10</LI-CODE><P><span class="lia-unicode-emoji" title=":glowing_star:">🌟</span><SPAN>&nbsp;</SPAN><STRONG>Did this answer help you?</STRONG><SPAN>&nbsp;</SPAN>If so, please consider:</P><UL><LI>Adding karma to show it was useful</LI><LI>Marking it as the solution if it resolved your issue</LI><LI>Commenting if you need any clarification</LI></UL><P>Your feedback encourages the volunteers in this community to continue contributing</P><P>&nbsp;</P> Thu, 09 Oct 2025 14:55:16 GMT https://community.splunk.com/t5/Splunk-Cloud-Platform/query-help/m-p/754132#M4019 livehybrid 2025-10-09T14:55:16Z https://community.splunk.com/t5/Splunk-Cloud-Platform/query-help/m-p/754149#M4020 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/258639">@Praz_123</a>&nbsp;<BR />For each day if you want to check try below,</P><LI-CODE lang="markup">index=_internal source="*license_usage.log" type=Usage earliest=-3d@d latest=@d | eval usage_in_GB = b/1024/1024/1024 | bin _time span=1d | stats sum(usage_in_GB) as daily_usage_GB by _time h | where daily_usage_GB &gt; 2 | sort - daily_usage_GB | head 10</LI-CODE> Fri, 10 Oct 2025 04:26:33 GMT https://community.splunk.com/t5/Splunk-Cloud-Platform/query-help/m-p/754149#M4020 PrewinThomas 2025-10-10T04:26:33Z